I've noticed that we tend to get quite a number of spams on this forum that are so stupid they just have to be bots.
I run a forum for wargames terrain called TerraGenesis and although it isn't entirely problem free we don't get any of these. There are a number of reasons for that and some of them may not be appropriate here, however I saw a relatively simple solution to this a while back:
For a bot to make these kinds of posts it has to:
1. Register for the forum.
2. Respond to the email verification.
3. Make the post.
Although this might seem fairly sophisticated, it's not, because the bot is looking for phpBB forums and they all work the same...
...or do they?
The solution I spoke of is to add a 'question' to the registration form, along the lines of: In order to confirm that you are a human as opposed to a spambot, please type the phrase "I am human" into the box below.
The contents of that box then need to be checked by the code that processes it. Now that the registration form is no longer a standard phpBB registration form, the bots are screwed.
A trick for keeping spambots off the forum
- AndySlater
- Above Average
- Posts: 31
- Joined: Wed Nov 29, 2006 5:38 pm
Nah, most bots don't bother with registration forms at all. They write directly to the scripts that update the member list (skipping over the registration form entirely). There are a lot of mods that add verification stuff to the forms, but they only worked until the bots became smarter...
Author of Tales from the Frontier - official Elite 4 anthology.
Author of Marcan Rayger adventures - unofficial fan-fic novellas set in the Frontier universe.
Ouch, that sounds like an awful awful AWFUL piece of software, that doesn't bother to actually authenticate users.
PHP has always seemed like a really crappy language to me, but if users write totally insecure applications in it, that's even worse.
Never expose any part of a web app without authentication, and that's not hard to do for a programmer (one check for the session cookie, or for HTTP authentication).
Well, brave new world.
- JensAyton
- Grand Admiral Emeritus
- Posts: 6657
- Joined: Sat Apr 02, 2005 2:43 pm
- Location: Sweden
Ulli wrote: "Ouch, that sounds like an awful awful AWFUL piece of software, that doesn't bother to actually authenticate users.
PHP has always seemed like a really crappy language to me, but if users write totally insecure applications in it, that's even worse."
PhpBB is infamously bad in this respect. Most plug-ins are worse.
- AndySlater
- Above Average
- Posts: 31
- Joined: Wed Nov 29, 2006 5:38 pm
Wolfwood wrote: "Nah, most bots don't bother with registration forms at all. They write directly to the scripts that update the member list (skipping over the registration form entirely). There are a lot of mods that add verification stuff to the forms, but they only worked until the bots became smarter..."
I'd be surprised if that's the case because there's an awful lot of stuff in phpBB to prevent the code from being hijacked, however if you are right, the solution is even easier: just change the name of the script and the legitimate calls to it from the phpBB code. Any bot designed to attack a standard phpBB forum will no longer be able to find it.
Bots may have become 'smarter' but they are still dumb-ass programs written by jerks who would have less time on their hands to write them if they were smart enough to write useful code.
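The check discussed in this thread, as an added example that is not part of any post and is not phpBB code: the "I am human" phrase is verified in the script that processes the registration, so a request sent straight to that script without loading the form is rejected as well. The function name, the `human_check` field and the other field names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical registration check, not taken from phpBB.
// The challenge is enforced where the account would be created, not in the form.

const EXPECTED_PHRASE = 'i am human'; // phrase from the first post, lowercased

// Trim, collapse runs of whitespace and lowercase the visitor's answer.
function normalise_phrase(string $raw): string
{
    return strtolower(preg_replace('/\s+/', ' ', trim($raw)) ?? '');
}

// $post stands in for $_POST. Returns a list of errors; empty means accept.
function validate_registration(array $post): array
{
    $errors = [];
    foreach (['username', 'email', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "missing $field";
        }
    }
    // A missing field, an array-valued field (human_check[]=x) and a wrong
    // answer all fail: the default is to reject.
    $answer = $post['human_check'] ?? '';
    if (!is_string($answer) || normalise_phrase($answer) !== EXPECTED_PHRASE) {
        $errors[] = 'challenge failed';
    }
    return $errors;
}

// Constructed sample requests (not captured traffic).
$base = ['username' => 'andy', 'email' => 'andy@example.org', 'password' => 'secret'];
$requests = [
    'person using the modified form'  => $base + ['human_check' => '  I am   Human '],
    'bot sending stock fields only'   => $base,
    'bot sending an array for answer' => $base + ['human_check' => ['x']],
    'bot guessing a wrong phrase'     => $base + ['human_check' => 'yes'],
];

foreach ($requests as $label => $post) {
    $errors = validate_registration($post);
    printf("%-32s %s\n", $label, $errors ? 'REJECT: ' . implode(', ', $errors) : 'ACCEPT');
}
```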